Another Day, Another Massive Data Breach

September 8, 2017 at 8:48 am 2 comments

Equifax, one of the big three credit reporting agencies, yesterday disclosed a “massive data breach” that may impact half the U.S. population. The breach includes the compromise of social security numbers, birth dates and up to 290,000 credit card numbers.

Let’s face it. It’s the same old song with a different tune. This is yet another example of why we need national standards and a national framework for dealing with data breaches and their consequences. In fairness to Equifax, it’s too early to know if the breach was a result of mistakes on its part or simply the end result of some talented hacking carried out in spite of adherence to prudent safeguards. But when I hear Equifax’s CEO explain that he is “deeply disappointed” by the break in, my guess is a lawsuit isn’t too far away.

Unfortunately, it’s far from clear precisely how much liability Equifax will face even if it was negligent in safeguarding this sensitive information. In 2016, the Supreme Court held in Spokeo, Inc. v. Robbins 136 S.CT. 1540 (2016) that in order for a plaintiff to have standing to sue in Federal court, the harm caused must be “concrete and particularized and actual or imminent, not conjectural or hypothetical.”

The standard has been a particularly tricky one for the courts to deal with in the context of data breaches. In a decision in August, Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), the U.S. Court of Appeals for the D.C. Circuit held that the lawsuit against health insurer, Care First, Inc. could go forward. It ruled that so long as customers could prove that their names, birth dates and email addresses were compromised, they were being harmed by the imminent risk of a data breach. Similar logic was adopted by the 3rd Circuit In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017)

However, not all circuits agree. In re SuperValu, Inc., No. 16-2378, 2017 WL 3722455, at *1 (8th Cir. Aug. 30, 2017), the 3rd Circuit Court ruled that consumers whose information may have been compromised by a data breach, lacked standing to sue the company. A reason that a mere possibility that an individual’s data may be used against them does not constitute enough harm to bring a lawsuit.

My guess is, the Supreme Court will take up this issue, maybe as early as this upcoming term. In the meantime, at some point Congress will come to its senses and pass meaningful comprehensive data breach protection legislation…and people say I’m cynical.

NCUA Releases Second Quarter Performance Data

The industry received its second quarter report card. It continues to show strong performance by the credit unions in the aggregate but it also continues to show that if you’re not big, there’s a good chance that your credit union is struggling. On that cynical note, I expect you all to enjoy your weekend and do nothing on Sunday but watch football. I hope to see some of you Monday at our annual Legal and Compliance Conference.

 

Entry filed under: Legal Watch, Political. Tags: , , .

Will Credit Unions Have Access To A Faster Payments System? Proposed Legislation Would Deal Fatal Blow To The Industry

2 Comments Add your own

  • 1. C. Richard Wagner  |  September 11, 2017 at 10:18 am

    What excuse does Equifax have for waiting SIX WEEKS after they knew of the breach??? Some of Equifax’s senior officers cashed in some of Equifax stock after the breach and before the breach was publicly announced, according to the media report of the breach. That’s disgraceful!! C. Richard Wagner , Municipal Credit Union

    Reply
  • […] the growing use of synthetic identity also underscores is how federal courts have too narrowly interpreted standing when it comes to bringing data breach lawsuits. If courts continue to insist on plaintiffs showing […]

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed


Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 757 other followers

Archives


%d bloggers like this: